Skip to Content

Modernizing the Employee User Experience with SAP Fiori Cloud

Business-to-Employee Scenario: Effectively increasing employee job satisfaction and reducing internal training costs by implementing an intuitive user experience
This blueprint provides common information, guidance, and direction for using SAP Fiori apps to increase employee productivity and satisfaction by modernizing the user experience. Through a real customer business scenario, this guide describes a common business challenge resolved by the SAP Cloud Platform. It includes the benefits of the solution, the main SAP Cloud Platform components for licensing considerations, and a visual architecture depicting a basic architectural pattern.

Business Scenario

Companies are embracing digital transformation and creating strategies to adopt to the digital age. Leading the way for digital transformation is a delightful user experience. Companies understand now more then ever how important a simple and intuitive user experience is for increasing productivity, staying competitive and fostering employee satisfaction. SAP is offering the tools to streamline a company journey towards digital transformation.

Regardless of industry, an intuitive user experience is quickly becoming standard for user acceptance and productivity. Below is a table detailing examples of different employee roles and the types of commonly used SAP Fiori Cloud apps to streamline productivity.  Note, this is a subset of the available SAP Fiori cloud apps, for a full list please visit the SAP Fiori apps reference library.

Employee Challenge
Field Sales Representative Various CRM apps to complete tasks in the field including My Accounts, My Leads, My Opportunities, My Tasks and Customer Invoices
HR Manager
Approve Leave Requests, Approve Timesheets, My Inbox
Asset Accountant* Asset Balance, Asset History Sheet, Asset Manager Worklist
Purchaser
Approve Purchase Contracts, Approve Purchase Orders, Track Purchase Order
Employee HR Info
Employee Lookup, My Benefits, My Leave Requests, My Paystubs, My Team Calendar, My Time Events, My Timesheet, and People Profile
Employee Master Data Request* Request Cost Center, Request Customer Change, Request Material, Request Profit Center, Request Supplier, Track My Requests
*Requires SAP S/4HANA Backend System    

Business Example 

A company is driving a global simplification strategy to enhance the user experience of current processes and develop new apps for their employees and external customers. They are running an SAP Business Suite backend system and would like to achieve their goals while capitalizing on their current investment. The project is being driven by a cloud first mentality and a user shift towards mobile devices, a need to increase productivity and drive better user experience, a requirement for an innovation platform to build new apps, and a desire to separate on-premise systems from the UX.

Solution

SAP Fiori Cloud offers apps focused on the most commonly used business scenarios across industries and lines of business.

Solution Description

The retail company has purchased a license for SAP Fiori Cloud. This license provides them access to all the SAP Fiori Cloud apps and the supporting tools such as the SAP Cloud Platform Web IDE Service, OData provisioning service, the Fiori Configuration Cockpit, SAP Fiori launchpad etc. The company will first implement the My Leave Requests and Approve Leave Requests apps. They have an SAP ERP 6.0 system and are running SAP NetWeaver 7.40. They do not have a separate frontend SAP Gateway system and have decided to leverage the SAP OData provisioning service that comes with their SAP Cloud Platform account, understanding that this service is suited only for Business Suite backends and will not provide full SAP Gateway capabilities. They will download and use the Cloud Connector to achieve the connection from their on-premise system to their SAP Cloud Platform account. 

After a successful launch of the two HCM apps to a small group of 50 employees the company will start phase 2 and introduce the My Timesheet and Approve Timesheet apps. In the third phase they will implement retailspecific apps including Lookup retail products, order products and receive products. They have an end goal of rolling these apps out to 2000 employees.

Solution Diagram

SAP Cloud Platform is the extension platform for SAP. It enables developers to develop loosely coupled extension applications securely, thus implementing additional workflows or modules on top of the existing solution they already have.

SAP Cloud Platform supports scenarios for consumers (B2C), for partners (B2B), and for employees (B2E). The solution provided in this blueprint is part of a company B2E scenario. The B2E scenario is related to services for employees and managers of an organization/customers/partners and it defines certain aspects of the architecture:

  • Employees can better manage their time
  • Companies can roll out their SAP Fiori launchpad to an unlimited number of employees
  • Backend data can be accessed any place and at any time from any device
  • More apps can be added and rolled out without the need for formal training or downtimes

Reference Solution Diagram

The following diagram of the solution illustrates a basic architectural pattern of the runtime environment for implementing SAP Fiori Cloud with an on-premise SAP Business Suite system.

Reference Solution Components

The following list describes the main components needed to implement this scenario and the role they play in the overall runtime of the solution.

User Network

SAP Fiori Client – SAP Fiori Client is available in mobile stores and optional for companies to use. It is a native mobile application that easily consumes SAP Fiori-based applications like the SAP Fiori launchpad. It provides additional supportability features, Fiori- specific caching, access to device features, an integrated attachment viewer, and a better user experience than a mobile browser for this specific use case. The SAP Fiori Client for Android or iOS can also be created using Cordova and Kapsel plugins. SAP Fiori Client is designed around Apache Cordova architecture, where device APIs and custom functionality are added through plugins.

Laptop End user uses the browser from the laptop to access the SAP Fiori launchpad for the Fiori applications.

SAP Cloud Platform

Portal Service SAP Fiori launchpad – Quickly and easily create business sites that are fully integrated with SAP Fiori launchpad. It is a web-based tool that provides a single point of access to role-based, applications, processes, and services to users in an organization; thus simplifying the way they work and how they engage with customers, partners, and employees. 

OData provisioning service Enables you to use OData Services to extract data from SAP Business Suite systems so this data can be consumed freely in the cloud. Note the OData provisioning service is optional when using SAP Fiori Cloud apps for SAP Business Suite, the other option is to use an SAP Gateway system on-premise.

SAP Cloud Platform Identity Authentication Service – A cloud solution for identity lifecycle management for SAP Cloud Platform applications, and for on-premise applications. It provides services for authentication, single sign-on, and on-premise integration.

SAP Cloud Platform Connectivity service – This connectivity service allows SAP Cloud Platform applications to access securely remote services that run on the Internet or on-premise

Corporate Network

Cloud Connector – Enables hybrid scenarios in which cloud applications access and extend on-premise systems. It establishes secure technical connectivity between SAP Cloud Platform accounts and a protected on-premise network. In this solution, the Cloud Connector is used to connect SAP Cloud Platform to customer Identity provider and SAP Gateway as part of the customer’s landscape.

Corporate Identity Provider – The corporate user store that provides identifiers for users looking to interact with a system. When the SAP Cloud Platform Identity Authentication service is configured to use the corporate user store, it allows employees to authenticate with their corporate credentials eliminating the need to use another set of credentials for their cloud access. This solution is integrating an LDAP user store running in Windows Azure, but it could be other SAML2.0 compliant Identity providers running in the cloud or on the corporate networks.

SAP S/4HANA System or Business Suite – Is the primary data source system where the business processes are defined and transactional data is stored on a daily basis.

Security

Overview

Security can be a very confusing topic. To make it easier to understand, consider breaking it up into three topics: Authentication, Authorization and Single Sign-on.  

Consider the following topic descriptions:

  1. Authentication is defined in the dictionary as “the process or action of proving or showing something to be true, genuine, or valid.”  In the case of computer programs, it is the process of proving that an application user is who they say they are.
  2. Authorization is defined in the dictionary as “the process or action of being given permission or authority.”  So after you have a valid user on the system the next step is provide the authorizations or permissions to the user. You give the user the access to the application data that they need.
  3. Single Sign-on (SSO) is defined in the dictionary as “service that permits a user to use one set of login credentials to access multiple applications”  Once you have a valid user and their access permissions assigned you want them to be able to access any number of application systems without having to resupply their credentials.

The diagram below depicts at a high level where the three security topics fit in an overall  SAP Cloud Platform solution.

Solution Security Considerations

SAP Cloud Platform Identity Authentication is a cloud solution for identity lifecycle management for SAP Cloud Platform applications, and optionally for on-premise applications. It provides services for authentication, single sign-on, and on-premise integration as well as self-services such as registration or password reset for employees, customer partners, and consumers.

When implementing the solution just described, keep in mind that each the three security topics described above have a number of options for how they get implemented with the SAP Cloud Platform.  For this solution, Corporate Identity Provider was the chosen method for doing authentication.  SAP Cloud Platform Authorization was chosen for as the authorization method and Principle Propagation was chosen for single sign-on. 

Below you will find the security solution diagram and the process steps for each of the three chosen security topics. You can go to the entire security blueprint by clicking on the link in the section.  From the security blueprint, you can link to all the other options you have for authentication, authorization and single sign on in the blueprint library.

Scenario Authentication

Corporate Identity Provider - This blueprint provides common information, guidance, and direction for implementing a Corporate Identity Provider as the Identity Provider for applications on the SAP Cloud Platform. It will allow you to use a common source of identities for all your cloud based application.  It provides a standard, internationally adopted method for authentication using SAML assertions.

For more information, visit Corporate Identity Provider | SAP Cloud Platform Blueprint

Scenario Authorization – SAP Cloud Platform Authorization

Authorization -. This blueprint provides common information, guidance, as to how authorizations on the SAP Cloud Platform are implemented and how authorizations relate to identity providers and the applications and services on SAP Cloud Platform.

For more information, visit Authorization | SAP Cloud Platform

Scenario single sign-on

Principle Propagation - This blueprint provides common information, guidance, and direction for implementing principal propagation with X509 certificate from SAP Cloud Platform to the backend system that is running on-premise to achive Single Sign-On. It will allow you to use this method for any endpoint service that accept X509 certficate base authenticion.

More information will be available soon.

Summary

The chosen three methods from the security topics create an end-to-end security solution.  

Learn more

This blueprint highlights important considerations companies need to analyze when implementing SAP Fiori Cloud apps in order to effectively increase employee job satisfaction and reduce internal training costs. However, it is recommended to review further information to help you design and develop your user experience. The following resources are a starting point.

The solution diagram in this guide represents the runtime view. For the Development Solution Diagram you will notice the addition of development tools, which you can read more about in the SAP help Documentation.  

Read more about the development environment in the help documentation.
 
SAP Fiori Cloud Demo: Sign up for an account today!
 
High level overview of the required implementation steps:
System Admin App Consultant
1. Starts the project by first determining which landscape to use 1. Works with the business to understand requirements and determine the most relevant SAP Fiori apps for implementation
2. Ensures SAP Cloud Platform account is setup 2. Tests the backend scenarios to ensure data is coming through. Doing this step here will save time troubleshooting later
3. Configures the Cloud Connector as the secure tunnel between SAP CP and the on-premise system. 3. Extends the out of the box SAP Fiori cloud apps to meet business requirements
4. Shares the aggregated SAP Fiori apps library link with the system admin so the system admin can ensure all required back end components/notes are in place. 4. Performs any backend configurations required
5. Registers the required OData services and tests the services 5. Configures the app(s) in the Fiori Configuration Cockpit (FCC)
6. Assigns required roles to users 6. Tests the apps from the SAP Fiori launchpad to ensure everything is working as expected

For more details and how to steps refer to the Back-End Connectivity with SAP Fiori Cloud Extended Demo Account 3 part blog series.

Using Mutliple Subaccounts for Staged Application Development

The SAP Cloud Platform allows you to achieve isolation between the different application life cycle stages (development, testing and productive) by using multiple subaccounts. This approach ensures better stability and security for productive accounts and ideally follows backend setup. Configuration content and applications can be exported and imported to the target account. For more information visit the help documentation.

Enterprise Architecture Explorer describes the various deployment options for the Frontend Server

SAP Fiori Apps Reference Library provides configuration information for Fiori apps. This library should always be referenced as a precursor to starting any Fiori implementation

SAP Cloud Platform Cloud Connector help guides and Tutorials

SAP Fiori Cloud Landscape Configuration Guide

Back to top